Best way to verify signed Docker images

We’re planning to sign all Docker images before pushing them to our Registry either using Docker Content Trust + Notary or using Cosign (sigstore/cosign on GitHub).

However, this only solves one-half of the Security Supply Chain picture; we’d like to verify the image’s signature at runtime on Nomad.

What’s the best way to accomplish this? I didn’t see anything in the Docker driver documentation. Is there a way to add a pre- or post-hook to pulling the Docker image to add a step to verify the digital signature on it? Is there any support for validating the integrity of Docker images?